2020-03-20 06:30:10 +01:00
# Security Policy
2020-09-18 14:47:53 +02:00
At CAOS we are extremely grateful for security aware people who disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.
2020-03-20 06:30:10 +01:00
## Supported Versions
2021-04-20 14:04:02 +02:00
| Version | Supported |
| ------- | ------------------ |
| 1.x.x | :white_check_mark: |
| 0.x.x | :x: |
2020-03-20 06:30:10 +01:00
## Reporting a vulnerability
2020-09-18 14:47:53 +02:00
To file an incident, please disclose it by e-mail to security@zitadel.ch including the details of the vulnerability.
2020-03-20 06:30:10 +01:00
At the moment GPG encryption is no yet supported, however you may sign your message at will.
### When should I report a vulnerability
2020-09-18 14:47:53 +02:00
* You think you discovered a
* potential security vulnerability in `ZITADEL`
* vulnerability in another project that `ZITADEL` is based on
2020-03-20 06:30:10 +01:00
* For projects with their own vulnerability reporting and disclosure process, please report it directly there
### When should I NOT report a vulnerability
* You need help applying security related updates
* Your issue is not security related
## Security Vulnerability Response
TBD
## Public Disclosure
2020-09-18 14:47:53 +02:00
All accepted and mitigated vulnerabilities will be published on [ZITADEL's GitHub Security Page ](https://github.com/caos/zitadel/security/advisories ).
2020-03-20 06:30:10 +01:00
### Timing
We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the discloures the time frame can range from 7 to 90 days.